View online: https://www.drupal.org/node/2480327
* Advisory ID: DRUPAL-SA-CONTRIB-2015-103
* Project: Views [1] (third-party module)
* Version: 7.x
* Date: 2015-April-29
* Security risk: 15/25 ( Critical)
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Views module provides a flexible method for Drupal site designers to
control how lists and tables of content, users, taxonomy terms and other data
are presented.
.... Access bypass due cache inconsistency
Due to an issue in the caching mechanism of Views it's possible that
configured filters loose their effect.
This can lead to exposure of content that otherwise would be hidden from
visitors.
This vulnerability is mitigated by the fact that it can't be exploited
directly but occurs when certain prerequisites meet.
Systems that use in-memory cache backends like redis / memcache are more
likely to be affected by this issue. This is due the common strategy used to
free cache space if the configured memory limit of the cache is reached.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Views 7.x-3.x versions from 7.x-3.5 to 7.x-3.11.
Drupal core is not affected. If you do not use the contributed Views [4]
module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.11 [5]
Also see the Views [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Peter Philipp [7]
* Daniel Wehner [8]the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Peter Philipp [9]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/views
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/views
[5] https://www.drupal.org/node/2480259
[6] https://www.drupal.org/project/views
[7] https://www.drupal.org/user/762870
[8] https://www.drupal.org/user/99340
[9] https://www.drupal.org/user/762870
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2480321
* Advisory ID: DRUPAL-SA-CONTRIB-2015-102
* Project: Smart Trim [1] (third-party module)
* Version: 7.x
* Date: 2015-April-29
* Security risk: 5/25 ( Less Critical)
AC:Complex/A:Admin/CI:None/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module implements a new field formatter for textfields (text, text_long,
and text_with_summary, if you want to get technical) that improves upon the
"Summary or Trimmed" formatter built into Drupal 7.
The module doesn't sufficiently filter user input via the field settings
form.
This vulnerability is mitigated by the fact that only administrative users
who can administer field types can exploit it.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Smart Trim 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Smart Trim [4]
module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the smart_trim module for Drupal 7.x, upgrade to
smart_trim-7.x-1.5 [5]
Also see the Smart Trim [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Tom Lambert [7]
-------- FIXED BY
------------------------------------------------------------
* Mark Casias [8] the module maintainer.
* Greg Knaddison [9] of the Drupal Security Team.
* Damien McKenna [10], provisional member of the Drupal Security Team.
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team.
* Damien McKenna [12], provisional member of the Drupal Security Team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/smart_trim
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/smart_trim
[5] https://www.drupal.org/node/2480289
[6] https://www.drupal.org/project/smart_trim
[7] https://www.drupal.org/user/28229
[8] https://www.drupal.org/user/206687
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/u/damienmckenna
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2480253
* Advisory ID: DRUPAL-SA-CONTRIB-2015-101
* Project: MailChimp [1] (third-party module)
* Version: 7.x
* Date: 2015-April-29
* Security risk: 11/25 ( Moderately Critical)
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The MailChimp module allows you to create and manage mailing lists via
MailChimp's API.
The MailChimp module does not properly sanitize some user input, allowing a
malicious user to embed scripts within a page, resulting in a Cross-site
Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the "administer mailchimp" permission.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* MailChimp 7.x-3.x versions prior to 7.x-3.3.
* MailChimp 7.x-2.x all versions.
* MailChimp 7.x-1.x all versions.
Drupal core is not affected. If you do not use the contributed MailChimp [4]
module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the MailChimp module for Drupal 7.x, upgrade to MailChimp
7.x-3.3 [5]
Also see the MailChimp [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [7] of the Drupal Security Team
* Ide Braakman [8]
-------- FIXED BY
------------------------------------------------------------
* Cooper Stimson [9] the module maintainer
* Dan Ruscoe [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/mailchimp
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/mailchimp
[5] https://www.drupal.org/node/2480173
[6] https://www.drupal.org/project/mailchimp
[7] https://www.drupal.org/user/262198
[8] https://www.drupal.org/user/1879760
[9] https://www.drupal.org/user/2944243
[10] https://www.drupal.org/user/2722087
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2475955
* Advisory ID: DRUPAL-SA-CONTRIB-2015-099
* Project: Node Template [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-April-22
* Security risk: 12/25 ( Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
Node Template module enables you to define any node as a node template and it
can be duplicated later.
The module doesn't sufficiently protect some URLs against CSRF. A malicious
user can cause a user with "access node template" permission to delete node
templates by getting their browser to make a request to a specially-crafted
URL.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of Node Template module.
Drupal core is not affected. If you do not use the contributed Node Template
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Node Template module you should uninstall it.
Also see the Node Template [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/node_template
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/node_template
[5] https://www.drupal.org/project/node_template
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2475943
* Advisory ID: DRUPAL-SA-CONTRIB-2015-097
* Project: HybridAuth Social Login [1] (third-party module)
* Version: 7.x
* Date: 2015-April-22
* Security risk: 9/25 ( Less Critical)
AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
HybridAuth Social Login module enables you to allow visitors to authenticate
or login to a Drupal site using their identities from social networks like
Facebook or Twitter.
The module may store user passwords in plain text.
This vulnerability is mitigated by the fact that the option "Ask user for a
password when registering" must be enabled. The information is disclosed to
anyone with access to the database, "administer users" or "administer site
configuration" permission.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.10.
Drupal core is not affected. If you do not use the contributed HybridAuth
Social Login [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the HybridAuth Social Login module for Drupal 7.x, upgrade to
HybridAuth Social Login 7.x-2.10 [5]
Also see the HybridAuth Social Login [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Owen Kelly [7]
* Mike Goulding [8]
-------- FIXED BY
------------------------------------------------------------
* Owen Kelly [9]
* Andrew Berezovsky [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/hybridauth
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/hybridauth
[5] https://www.drupal.org/node/2475443
[6] https://www.drupal.org/project/hybridauth
[7] https://www.drupal.org/u/ojkelly
[8] https://www.drupal.org/u/mikeegoulding
[9] https://www.drupal.org/u/ojkelly
[10] https://www.drupal.org/u/duozersk
[11] https://www.drupal.org/user/2301194
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2475953
* Advisory ID: DRUPAL-SA-CONTRIB-2015-098
* Project: Keyword Research [1] (third-party module)
* Version: 6.x
* Date: 2015-April-22
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
Keyword Research module enables you to tag and prioritize keywords on a site
and node level basis.
The module doesn't sufficiently protect some URLs against CSRF. A malicious
user can cause another user with "kwresearch admin site keywords" permission
to create, delete and set priorities to keywords by getting their browser to
make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Keyword Research 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Keyword
Research [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Keyword Research module for Drupal 6.x, upgrade to Keyword
Research 6.x-1.2 [5]
Also see the Keyword Research [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Tom McCracken [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/kwresearch
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/kwresearch
[5] https://www.drupal.org/node/2475591
[6] https://www.drupal.org/project/kwresearch
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/258411
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2471733
* Advisory ID: DRUPAL-SA-CONTRIB-2015-05
* Project: Display Suite [1] (third-party module)
* Version: 7.x
* Date: 2015-April-15
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Display Suite allows you to take full control over how your content is
displayed using a drag and drop interface.
In certain situations, Display Suite does not properly sanitize some of the
output, allowing a malicious user to embed scripts within a page, resulting
in a Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker has to be able
to configure field display settings, which usually needs a higher level
permission such as administer taxonomy.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Display Suite version 7.x-2.7. Versions prior to Display Suite 7.x-2.7
are
not vulnerable.
Drupal core is not affected. If you do not use the contributed Display Suite
[4] module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Display Suite module for Drupal 7.x-2.7, upgrade to
Display
Suite 7.x-2.8 [5]
Also see the Display Suite [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ward Van Hooreweghe [7]
* Bram Goffings [8]
-------- FIXED BY
------------------------------------------------------------
* Bram Goffings [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Ivo Van Geertruyen [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/ds
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/ds
[5] https://drupal.org/node/2471721
[6] https://www.drupal.org/project/ds
[7] https://www.drupal.org/u/hjarnmastara
[8] https://www.drupal.org/u/aspilicious
[9] https://www.drupal.org/u/aspilicious
[10] https://www.drupal.org/u/mr.baileys
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2471879
* Advisory ID: DRUPAL-SA-CONTRIB-2015-096
* Project: Services [1] (third-party module)
* Version: 7.x
* Date: 2015-April-15
* Security risk: 16/25 ( Critical)
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass, Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
Services module enables you to expose an API to third party systems.
.... Access bypass (file upload and execution)
The resource/endpoint for uploading files does not properly sanitize the
filename of uploaded files. This vulnerability is mitigated by the fact that
the "File > Create" resource must be enabled and an attacker must have a role
with the Services "Save file information" permission.
.... Private fields information displayed
Services does not check field_access when displaying entities so some private
field information may be displayed. This vulnerability is only affecting
sites using the field_permissions module configured to hide fields from
anonymous users.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
Services 7.x-3.x versions prior to 7.x-3.12.
Drupal core is not affected. If you do not use the contributed Services [4]
module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version of Services: Services 7.x-3.12 [5].
As a reminder, Services for Drupal 6 is no longer maintained.
Also see the Services [6] project page.
-------- REPORTED BY
---------------------------------------------------------
.... Access Bypass/file upload
* Fabian Franz [7]
* Bevan Rudge [8]
.... Private fields information displayed
* giorgio79 [9]
-------- FIXED BY
------------------------------------------------------------
.... Access Bypass/file upload
* Bevan Rudge [10]
.... Private fields information displayed
* Kyle Browning [11] module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Ben Dougherty [12] of the Drupal Security Team
* Stéphane Corlosquet [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [18]
[1] https://www.drupal.org/project/services
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/services
[5] https://www.drupal.org/node/2471847
[6] https://www.drupal.org/project/services
[7] https://www.drupal.org/u/fabianx
[8] https://www.drupal.org/u/bevan
[9] https://www.drupal.org/user/235790
[10] https://www.drupal.org/u/bevan
[11] https://www.drupal.org/u/kylebrowning
[12] https://www.drupal.org/u/benjy
[13] https://www.drupal.org/u/scor
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2467697
* Advisory ID: DRUPAL-SA-CONTRIB-2015-094
* Project: CiviCRM private report [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-April-08
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
CiviCRM private report module enables users to create their own private
copies of CiviCRM reports, which they can modify and save to meet their needs
without requiring the "Administer reports" permission.
The module doesn't sufficiently protect some links against CSRF. A malicious
user can cause another user to delete reports by getting their browser to
make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* CiviCRM private report 6.x-1.x versions prior to 6.x-1.2.
* CiviCRM private report 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed CiviCRM
private report [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the CiviCRM private report module for Drupal 6.x, upgrade to
CiviCRM private report 6.x-1.2 [5]
* If you use the CiviCRM private report module for Drupal 7.x, upgrade to
CiviCRM private report 7.x-1.3 [6]
Also see the CiviCRM private report [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* TwoMice [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/civicrm_private_report
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/civicrm_private_report
[5] https://www.drupal.org/node/2467635
[6] https://www.drupal.org/node/2467631
[7] https://www.drupal.org/project/civicrm_private_report
[8] https://www.drupal.org/user/2301194
[9] https://www.drupal.org/user/600924
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2463949
* Advisory ID: DRUPAL-SA-CONTRIB-2015-093
* Project: User Import [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-April-01
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
This module enables the import of users into Drupal, or the update of
existing users, with data from a CSV file (comma separated file).
Some management URLs were not properly protected. A malicious user could
trick an administrator into continuing or deleting an ongoing import by
getting them to request certain URLs, thereby leading to a Cross Site Request
Forgery (CSRF) vulnerability.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* User Import 6.x-2.x versions prior to 6.x-4.4
* User Import 7.x-2.x versions prior to 7.x-2.3
Drupal core is not affected. If you do not use the contributed User Import
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the User Import module for Drupal 6.x, upgrade to User Import
6.x-4.4 [5]
* If you use the User Import module for Drupal 7.x, upgrade to User Import
7.x-2.3 [6]
Also see the User Import [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Robert Castelo [9] module maintainer and member of the Drupal Security
Team
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/user_import
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/user_import
[5] https://www.drupal.org/node/2463943
[6] https://www.drupal.org/node/2463941
[7] https://www.drupal.org/project/user_import
[8] https://www.drupal.org/user/2301194
[9] https://www.drupal.org/user/3555
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity